June 21, 2019 13:30
While the Mouvement Desjardins has been the victim of a security breach, the case of an American title insurer shows the potential impact such a vulnerability can have on the targeted institution. The insurance company First American saw around 900 million records exposed last May.
In fact, by changing a single digit in the URL of the insurer's digital platform, it was possible to access a wealth of personal data, much of it sensitive, such as social insurance numbers and customers' banking data. No authentication was required to access this data.
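As an added illustration (not code from the article or from First American's platform), here is the lookup pattern the article describes beside a hardened form: the record id taken from the URL is accepted only inside an authenticated session and is checked against the caller's own records, and every refusal is logged so a burst of probing can be spotted. The records, user names and session store are constructed sample data.

```python
import secrets
from typing import Optional

# Constructed sample records keyed by sequential ids, the pattern the article describes.
RECORDS = {
    1001: {"owner": "alice", "sin": "***-***-111"},
    1002: {"owner": "bob", "sin": "***-***-222"},
}

def fetch_record_unprotected(record_id: int) -> Optional[dict]:
    """Flawed pattern: the id from the URL is the only input; nothing
    establishes who is asking or whether the record is theirs."""
    return RECORDS.get(record_id)

# --- hardened variant ------------------------------------------------------
SESSIONS = {}            # opaque session token -> authenticated username (constructed)
DENIED_LOG = []          # (token, record_id) for each refused access, for monitoring

class AccessDenied(Exception):
    pass

def login(username: str) -> str:
    """Issue an unguessable session token; credential checking is assumed upstream."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = username
    return token

def fetch_record(session_token: Optional[str], record_id: int) -> dict:
    """Require a valid session, then bind the lookup to the caller's own records."""
    user = SESSIONS.get(session_token or "")
    if user is None:
        DENIED_LOG.append((session_token, record_id))
        raise AccessDenied("authentication required")
    rec = RECORDS.get(record_id)
    # One uniform refusal for missing and foreign records, so ids cannot be enumerated.
    if rec is None or rec["owner"] != user:
        DENIED_LOG.append((session_token, record_id))
        raise AccessDenied("no such record for this account")
    return rec

def can_read(session_token: Optional[str], record_id: int) -> bool:
    """True only when fetch_record succeeds for this session and id."""
    try:
        fetch_record(session_token, record_id)
        return True
    except AccessDenied:
        return False

def denied_count_for(session_token: Optional[str]) -> int:
    """Refusals seen for one token; a run of them is a signal worth alerting on."""
    return sum(1 for t, _ in DENIED_LOG if t == session_token)
```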
“It is a system that had probably been put in place in the early 2000s,” notes Jean-Philippe Racine, president of Groupe CyberSwat and a cybersecurity specialist, in an interview with the Journal de l'assurance. “Even at that time, it should not have been acceptable.”
He explains that the programming practices used were not adequate and that the programmers were probably not up to cybersecurity standards.
In addition, according to Mr. Racine, a simple penetration test would have helped discover the flaw in their computer system. “This test is a simulation of hacking. Normally, if such a test had been done, the problem would have been discovered by the teams specializing in this area,” he said.
Learn from the mistakes of others
Jean-Philippe Racine says that with the reform of the Act respecting the distribution of financial products and services (the Distribution Act), which since June 13 has authorized and regulated the sale of insurance products online, insurers will have to learn from cases such as that of First American.
“I see a lot of issues in the coming years that will be connected with cybersecurity. Companies and firms need to put in place the necessary mechanisms to allow submission [and sale] online. People will be asked to provide personal information, so it will be necessary to be careful not to reproduce the situation of First American,” said Mr. Racine.
According to him, when implementing their transaction platform, insurers should put in place a secure identification process for everyone who has a client file. Two-step authentication, he adds, would also add “an additional layer” to make certain there is no data leakage.
He also mentioned that recurring intrusion tests would ensure the proper functioning of computer systems.
“The new regulations are forcing insurers to think about the way they set up their systems. Specifically, it will be necessary to carry out at least one security test a year, which will have to be done by experts to validate what is there,” said Jean-Philippe Racine. “Internally, companies must ensure that they are up to date and that they regularly put new protections in place. After all, new vulnerabilities are created every day. One must therefore constantly be on the lookout.”